
Large distributed brute force attack underway

Update at 10am EST, Feb 11th: The attack appears to be abating, with brief spikes in activity. We’ve raised the share of attacks shown on the security map at www.wordfence.com to 50%, and as you can see, traffic is reduced. We’re continuing to monitor this and will email an update if necessary.

As of 11am Eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the traffic we show down to 4% of actual traffic.

Starting at 11am EST this morning we saw a roughly 30-fold increase in the volume of brute force attacks across WordPress websites running the WordPress.org software. The attack ramped up so quickly that we initially questioned the data we were seeing and immediately deployed code to verify that the reports we were receiving were accurate and not an attack on our own systems. Within a few seconds it became clear that the attack was in fact real and was being reported from across the universe of WordPress websites.

Some definitions if you’re not in the InfoSec field: A brute force attack is when an attacker tries many times to guess your username/password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this, in order to circumvent any blocking mechanisms you have in place.

If you’re using the free or paid version of Wordfence you should have the option to “Participate in the real-time Wordfence security network” under ‘Other options’ enabled. This will immediately block any attack originating from an IP address that has attacked other WordPress sites. This is an effective defense against this kind of attack.

We recommend that until this passes you monitor your WordPress websites closely for unusual activity including logins, account creation or changes to the public facing website.

Hi Brett. Yes, similar reports from our other customers. Thankfully we actually added throttling to those email alerts in a recent update, so as long as you're running the newest Wordfence, which is 4.0.3, you won't get overwhelmed by those emails.

We run a real-time server that receives reports from sites running Wordfence when they get a hack attempt. When you hit our website at www.wordfence.com and are viewing the map, you are plugged directly into that system. This morning the system alerted us to a big increase in attacks. A symptom of this was that the map on our home page was overwhelmed because it couldn't display attacks fast enough.

We immediately started investigating, suspecting that the data might be faulty. We started by verifying that the reports we were getting were legitimate. Turns out they are, and as of 2:08 PM EST the attack is still underway.

The reason you're not seeing reports in mainstream media is because they rely on sources like us, and if we want to be heard we have to put out a press release or call a newspaper so that we can compete with all the other companies who want to be heard and get written about. Honestly we don't have the time to reach out to folks to make sure they're writing about us. I'd rather focus on keeping your WordPress site safe and improving our product. I've been written about in the past, e.g. I made top 50 websites of 2005 in Time Magazine for a different company. Also got written about by Bob Tedeschi in the NYTimes, where he wrote a feature article covering a past business of mine. It's not 'all that' and it really has little impact on improving the experience my customers have or improving our product. I refused 2 interview requests in the last week. Just don't have the time. I'd rather talk to you and the rest of my customers on the forums, here, directly via social media and in our ticketing system.

So we're quite happy to keep our heads down and let our product and service speak for itself.

My site has been under attack all day long. Wordfence is doing a fantastic job of blocking these clowns. When I look at the IPs I've noticed the majority of them are in Russia. I'm using Wordfence on 6 of my sites and noticed that none of the others have been attacked yet. Now since I've enabled that participation checkbox in all of them, I wonder if they're being protected because the other site is the one being targeted.

In both the free and paid version of Wordfence, if you check the option "Participate in the real-time Wordfence security network" under the "Options" page then the section "Other Options", IP addresses will be immediately blocked that have attacked other WordPress sites running Wordfence.

Thanks for the info and email I received about the attack. It would be helpful in the future to acknowledge that the “Participate in the real-time Wordfence security network” option is enabled by default (as I'm assuming it actually is). It will just help those less familiar with WordPress security, who may have installed your product and left it unchanged from the defaults, from freaking out. It also breeds confidence in your product in that you actively monitor and anticipate attacks like this straight "out of the box".

You run a great service and I thank you for it, I hope this feedback helps.

The "Live Site Activity" list on several of my sites indicates a lot of attempts to connect with administrator login pages that would be present on a Joomla site, so they may be trolling for older Joomla installations (so I think this is a pretty broad attack). Most of the suspicious transactions are coming from Russia, Ukraine, Turkey, and China. WordFence seems to be handling it fine on the WordPress sites...

I don't know much about the details of these attacks, but I have one question. If I understood it well, with DDoS attacks the IP address is often spoofed, meaning it isn't actually a real IP address. How is that with the IP addresses in these brute force attacks? Are they real or could they be spoofed also? It wouldn't make sense to block spoofed IP addresses, would it?
I wasn't aware of the way the Participate option works. I will enable this option on the many WP sites where I have installed Wordfence.

Thanks for the feedback, will keep that in mind. Just to answer your question re spoofing: it's actually very difficult to spoof an IP address on the Internet, because the core routers these days are smart enough to know that an IP is arriving from a network with an impossible address. So they drop spoofed packets.

It is possible to spoof IP addresses at the application level by sending fake HTTP X-Forwarded headers, but we don't consider these when looking at the data on our monitoring servers.

However it's really not that difficult to hack a large number of machines on the Net and install code that executes constantly (a daemon) or periodically (a cron job) and does things. If you discover a vulnerability in a WordPress plugin for example, simply write a script that probes hundreds of thousands of WordPress sites for the hole, exploit it when you find it and you'll have several thousand machines under your control in no time. No need to spoof, just get real machines with real IP addresses and launch a distributed attack. The reason this is so feasible is because there are many old servers with old WordPress or other software out there that haven't been upgraded and have known vulnerabilities in them.

I was using maxCDN but stopped after I noticed attacks coming from maxCDN IPs. I contacted maxCDN who told me that the IPs were all being spoofed. This is concerning as the two options are to whitelist maxCDN IPs or have maxCDN IPs blocked by my server security which has caused the CDN to fail from time to time. In the end, I simply pulled out of CDN as I am lucky to have a pretty fast SSD server.
If the spoofing reports from maxCDN are accurate, it is extremely concerning.

Have been getting these attempts ALL Day. The IP addresses keep changing from all around the world. Russia, Fiji, US, Canada, Argentina, Taiwan, India ... everywhere.
Figure there must be some IP spoofing going on.
It's annoying plus am wondering what hit this gives to the server.

Thanks for these updates. I bumped up my setting to "imminent attack" and it looks like I still had two of my sites hit. It installed a phishing file, and in two cases I'm using the same theme. Here is the message from Wordfence:
Alert generated at Tuesday 11th of February 2014 at 03:05:24 AM
Critical Problems:

My sites were all down yesterday for most of the day. I usually wait up to 10 minutes for chat to open up for support on my hosting, but waited over 1/2 hour, to get an error message. So then I called, was on hold over an hour, and immediately my sites were working again...but they would not tell me what was happening other than they had to do "emergency maintenance"....What does that sound like???? The girl said she didn't know, and wanted to give me a forum link...

I am guessing they got hit, and just put all sites down until the owners called about it? Sound feasible? But why they won't say what is going on is beyond me....

I use the PRO version on three of my sites, and the free version on the others (quickly figured about 20 - 25), and I have not noticed anything about these attacks yet.

I am sure that it is Wordfence that has kept the bad guys away. Previously, the affected sites had plenty of attack.

In my case, to a large extent, the websites are designed for clubs and associations, where the site primarily acts as a sort of intranet for members (signing up for events and internal communications), and only secondarily as information to the rest of the world. Therefore I'm in a situation where I can allow myself to cut off large parts of the world from access.
Thus, I simply cut off all visits / logins from Russia, China, Vietnam and other countries in that part of the world, via the excellent feature of the PRO version.
Before I did this, I analyzed where the attacks came from. The few that were from other places than the blocked countries can easily be managed by the rest of the system.

All ADMIN LOGINS feature SMS verification - just as an extra safety.

Since I've done this, I really feel that I am able to sleep peacefully at night, knowing that I, through this product, protect my websites.

Just read about what's been going on and I wonder if this could be an issue for me, too. My hosting company is more or less trying to convince me that I'm DDoS-ing myself, from my own web browser, and they have disabled my account. In reality, I did have a bunch of edit post tabs open (10-15); but this was never an issue in the past and this seems surreal to me. I'm afraid that they don't believe me.

The real time attack map still looks like it is much busier than I have seen it in the past. I'm curious, is that because more people are checking the "Participate in the Real-Time WordPress Security Network" box or is there still an increase in attacks? I am also wondering just how the "Maximum email alerts to send per hour" box works. If I set it for 60 does it throttle it to one per minute or does it take the first 60 and ignore the rest?

Hi David. It's nothing compared to the peak of the attack mentioned in this post. But it does ebb and flow. Hoping to graph that soon. The throttling works by limiting sending to a window, which is the current hour as defined by the number of hours since midnight Jan 1 1970 in your server's timezone. Sorry, I know that's technical, but the short version is: we pick a window of time that spans an hour and limit sending during that window. Once we skip to the next window the counter resets.
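To make the answer to David's question concrete, here is an added illustration (not Wordfence's code) of a fixed hourly window throttle as described above: the window is the whole hour number since the Unix epoch, the first N alerts in a window go out, the rest are dropped, and the counter resets when the window changes. The simulation function, its timestamps and the alert stream are constructed for the example.

```python
import time


class HourlyAlertThrottle:
    """Allow at most max_per_hour alerts per fixed hourly window.

    Assumption: the window is the integer hour count since the Unix epoch.
    This matches 'hours since midnight Jan 1 1970 in the server's timezone'
    whenever the server's UTC offset is a whole number of hours.
    """

    def __init__(self, max_per_hour):
        self.max_per_hour = max_per_hour
        self.window = None      # hour number currently being counted
        self.sent = 0           # alerts sent in the current window
        self.suppressed = 0     # alerts dropped in the current window

    @staticmethod
    def window_for(ts):
        return int(ts // 3600)

    def should_send(self, ts=None):
        """Return True if an alert at Unix time ts may be e-mailed."""
        if ts is None:
            ts = time.time()
        w = self.window_for(ts)
        if w != self.window:
            # crossed into a new hour: counters reset, even mid-burst
            self.window, self.sent, self.suppressed = w, 0, 0
        if self.sent < self.max_per_hour:
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def simulate_burst(max_per_hour, alerts_per_minute, minutes):
    """Feed a steady stream of failed-login alerts starting on an hour boundary.

    Returns the minute index (0-based) of every alert that was actually sent,
    so the caller can see that the limit is 'first N, then nothing', not 'one
    per minute'. The start timestamp is a constructed hour-aligned value.
    """
    throttle = HourlyAlertThrottle(max_per_hour)
    start = 3600 * 24 * 16113  # constructed: midnight UTC, 2014-02-11
    sent_minutes = []
    for m in range(minutes):
        for a in range(alerts_per_minute):
            ts = start + 60 * m + a * (60.0 / alerts_per_minute)
            if throttle.should_send(ts):
                sent_minutes.append(m)
    return sent_minutes
```

With a limit of 60 and ten alerts a minute, everything after minute 5 is dropped until the next hour boundary, where 60 more are allowed.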

I believe that the actual site which is under attack is Wings Over Scotland. Probably all the other attacks are to divert attention from the real target. I suspect that the attacks are a response to the site's effectiveness in the Scottish Independence campaign.

We see hundreds of attacks on our server every day. We use a mix of WordPress security plugins. As a first line of defense, we use CSF, Behavior monitoring, custom Mod Sec rules as well as AntiVirus and AntiMalware scanning of all files uploaded to the server.
We wouldn't be seeing such large attacks if the hosts and networks actually took action when instances were reported. They simply do not care.
If activity of this nature is reported to a host or ISP and they do nothing, they should be punished by losing assigned IP ranges for repeated offenses.

I am now getting multiple bad login attempts at certain times (like 2pm, 5pm etc - cron job), from distributed IP addresses. I think they now know they can't easily get past Wordfence and are attempting a form of DDoS by overloading SMTP etc.

You already know this - hence the inclusion of email throttling in the settings, my only comment would be to set throttling by default to discourage such attempts.